Re: Active Phishing Attack Against EDUs

[Shawn Shirley <sshirley () FERRUM EDU>]

For your FYI.

*Shawn Shirley*
Director of Administrative Computing
Ferrum College Information Services
Office: 540.365.4248 <javascript:void(0);> | Email: sshirley () ferrum edu

Ferrum College | PO Box 1000 | Ferrum, VA 24088



On Wed, Jun 20, 2018 at 4:45 PM Sargent, Joe E <Joe.Sargent () ws edu> wrote:

> Earlier today most of our employees received a phishing email that
> appeared to be from our president.  After some research we found that were
> able view the site structure where the link directed users.  We were the
> only school in the list at that time.  As the day has progressed more and
> more schools have been built into the structure.  Some schools were there
> and then were modified to other schools. So, this is very active.  They
> even have a certificate on the site to make it more legitimate.  The PDF in
> the email did not have any active content but did contain the link to the
> website.  Here are the schools we have seen so far and have not been able
> to contact (this appears to still be active with schools being added
> throughout the day)…
>
>
>
> Central Methodist University
>
> Columbia College in Missouri
>
> Champlain College
>
> Walla Walla Community College
>
> Waldorf University
>
> Middlebury College
>
> Texas A&M University San Antonio
>
>
>
> Many of these schools may have already had emails go to their users… Other
> maybe not.  Below is the information we have gathered that may help you
> protect your users…
>
>
>
> Our initial email came from… (might be different for you)  *From:* Robin
> Esparza [mailto:resparza () lbschools net <resparza () lbschools net>]
>
>
>
> The link in the document directs you to one of these for your school…
> (however, we have seen the links change and it is possible that this is not
> your school now – see notes below)
>
> Your school will be represented by an abbreviation in the root of the web
> site
>
>
>
> Mokaortmdesm.club/<yourschool>/index.php
>
> Mokaortmdesm.club/<yourschoolhttps>/index.php
>
>
>
> IP address of web site: 89.36.213.44
>
>
>
> The method used to ID schools was to go to the link and input fake
> information and click submit.  This then sent us to a link at the target
> school that would make a user believe the original email was real because
> it is policy etc.  We have seen this link change for some schools and later
> point to another school.  So, if the link it not there now then look at the
> folders at the root of the web site to be sure that your school has not
> been moved to another folder.
>
>
>
> If you go to the top level of the website you can actually see the
> directory structure.  To actually find out where each is pointing to you
> have to click the folder/file and then click download on the web site.
> Enter fake information and then it will take you to a linked page at the
> targeted school.  It took us a while to figure this out.  Again, this is
> active and they appear to have made changes to files and links.  We have
> seen their processes change as they create more sites.
>
>
>
> I hope this helps you.  Apologies if it turns out to be nothing but at
> least you can block your users from getting to the web site.
>
>
>
> Thank you,
>
> Joe
>
> _____________________________________________________________
> Joe Sargent [image: cid:image001.png@01CD9D7C.A1CFD430] Assistant Vice
> President for Information and Educational Technologies (IET) and CIO
> Walters State [image: cid:image001.png@01CD9D7C.A1CFD430] Jack E.
> Campbell College Center Suite 314 [image:
> cid:image001.png@01CD9D7C.A1CFD430] 500 South Davy Crockett Parkway
>
> Morristown, TN 37813 [image: cid:image001.png@01CD9D7C.A1CFD430] Voice
> (423) 585-6836 [image: cid:image001.png@01CD9D7C.A1CFD430] Fax: (423)
> 585-2630 [image: cid:image001.png@01CD9D7C.A1CFD430] E-mail:
> joe.sargent () ws edu <joey.sargent () ws edu>
>
>
> This transmission, regardless of modality, may contain confidential
> information and may be subject to protection under the law. If you are not
> the intended recipient, or an authorized agent for the intended recipient,
> you are hereby notified that use, such as but not limited to disclosure,
> copying, or distribution, is prohibited. Please destroy any and all copies
> immediately and notify the sender of this erroneous receipt.